As you may know the Microsoft approach on Privileged Access Management Feature (PAM) is quite a big feature. Planning and implementing this solution takes a lot of time. Also, many of us just want to enjoy one small part of the PAM solution. That’s why I came up with a module to manage the TTL of all members in a group in an easy way. This module allows you to set a TTL and apply it to all the members in a group with a single one-liner like this.

Set-GroupMemberTTL -Group MyTemporaryGroup -TTL 1 -TTLPeriodOfTime Days


  • At least Windows Server 2016
  • Active Directory

Installing the needed Features and the Module

The install of the PAM function is as easy as it gets. Run the following line of code:

Enable-ADOptionalFeature 'Privileged Access Management Feature' -Scope ForestOrConfigurationSet -Target

After installing the needed module proceed by installing the following module from PowerShell Gallery. Feedback is appreciated, since this is my first own module 🙂

Install-Module -Name GroupMemberTTL

This introduces the following two new functions:


With those two functions, you can to get all the members and their TTL in a way you can further process it.


This is a quick and dirty explanation of how to use the modules.

Get-GroupMemberTTL Example

This shows you an example of how to check all the members of a group, this is just an improved version of Microsofts “Get-ADGroup “GroupName” -Property member -ShowMemberTimeToLive” as it gives you back an array, instead of a string with a TTL + the distinguished name.

Get-GroupMemberTTL -Group RemoteDesktop_48h_TempAccess

Example Output

Output of the Get-GroupMemberTTL

Output of the standard method

Output of the Get-ADGroup cmdlet

Set-GroupMemberTTL Example

Set-GroupMembertTTL lets you define a group and it will set all the TTLs in that group to the one you defined in -TTL. Existing TTLs will not be overwritten, unless the defined TTL is larger than the value you defined in “-TTL”. In that case, your members will be overwritten with the shorter TTL. If you need output use the “-Debug” switch, otherwise the cmdlet runs silently.

Set-GroupMemberTTL -Group RemoteDesktop_48h_TempAccess -TTL 1 -TTLPeriodOfTime Days 

Further readings

To dig further into to topic read the following article, it introduces the whole PAM function and gives you in depths instructions about all the involved topics.


Since this is my first approach to writing and publishing a module via PowerShell Gallery feedback is very welcome. If you have improvements or questions, do not hesitate to contact me.